2014-07-28 19:00:00
mitre
PUBLISHED
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendors intended security policy if the user does not run Elasticsearch in its own independent virtual machine.